As attacks surface, Sun ships sudden Java patch

As attacks surface, Sun ships sudden Java patch

Summary: In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

SHARE:

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.

The release notes that accompanies the new Java 6 Update 20 makes no mention of the public flaw disclosure or subsequent attacks but I've been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

[ SEE: Researcher warns of dangerous Java flaw ]

After applying the fix on a Windows machine, Ormandy's proof-of-concept demo did not work.  Instead of opening the calculator application, I got an error message concerning the Java Virtual Machine Launcher:

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running “javaws.exe” without validating command-line parameters.

Despite the absence of documentation, a researcher was about to figure out that Sun removed the code to run javaws.exe from the Java plugin.

Here is a link to download the patch from Sun's Web site.

[ SEE: Java zero-day flaw under active attack ]

The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities.  In this case, Google's Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response.

It's incomprehensible that a software vendor like Sun, now under Oracle's wings, could have misdiagnosed this vulnerability when Ormandy originally reported it.  It was clear, from the inception, that this was a "critical" issue that was found by several different hackers.  On Twitter, Ormandy said he had no information that the issue was already in the wild before he wielded the full-disclosure stick. However, he maintains "it was just too trivial for that not to be the case."

[ SEE: Responsible disclosure, the Microsoft way ]

To this date, Oracle Sun has not publicly commented or mentioned the public disclosure of an issue that's being actively exploited.

Speaking of irresponsible, here's what I saw when I applied the new Java update this morning.  Yes, checked by default.  Sigh.

Topics: Open Source, Oracle, Security, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

53 comments
Log in or register to join the discussion
  • They drag their heels* to the plate

    then greet users and clients with pre-checked pitches for Bing or Google add-on crud. You gotta love it.

    * Heels in more ways than one.
    klumper
  • Yay, Symantec!

    I just tried the Test Page (without patching Java). The first time I tried it, it didn't work. Now it tried to do something, but it was blocked by Symantec Anti-virus. Score one for the good guys!
    andy88488
    • YEA AVG

      AVG caught it while the page was loading and blocked the site

      Gaxxis
      GAXXIS
    • Hmm, Symantec

      Our Symantic Endpoint Protection flags it as a virus, but still lets it run. SEP users keep an eye out.
      mzeller@...
  • RE: As attacks surface, Sun ships sudden Java patch

    Yeah, just what we all need, yet another toolbar to make
    our speedy machines run like our beloved old IBM PC XT
    did...slow.

    Still, I'm happy to see the patch hit. Beats Adobe's
    record
    KOS-MOS
  • I can't find the link to down the fix

    where's the link for the new or fix
    waynearcelectcom
  • Don't be tricked about the Java version number.

    Hi -

    Heads up!

    Sun has a small (albeit important) correction to make.

    Once you use the Java Control Panel to update, it says Version 20. However, when you install it and do "About," etc., It says Version 19.

    In Add/Remove Programs it is listed as Version 20.

    Small details do count.
    Smart_Neuron
    • rushed...

      i think version number display mistakes are a sign of a [b]really[/b] rushed update patch...
      erik.soderquist
  • RE: As attacks surface, Sun ships sudden Java patch

    Way to go Oracle! not Sun anymore but still. Just the other day Oracle said that there was no rush and that it would be put in the normal upgrade cycle which wouldn't come out until July! I was beginning to think it would be like MS and their fix for the browser glitch that showed up at the convention in Canada just what, a month ago? Glad to see that they stepped up and corrected it now.

    lrfocke
    Louis Ross Focke
  • Bing toolbar on Java update page

    And this is the same Sun that reached a settlement with M/s regarding the bastardised M/s version of Java ...?!
    mikew_z
  • RE: As attacks surface, Sun ships sudden Java patch

    I am still running Java jre1.5.0_11 Should I update to the latest version or is the old one safe?
    ts1946
    • test it

      the article provides a "safe" demo of the vulnerability, it launches the calculator application.

      the link is:
      http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html
      erik.soderquist
      • AVG is keeping me safe

        AVG blocks that page.
        AV devlopers are way faster to cover those vulnerabilities that the software makers.
        Kualinar
      • Avast caught it

        Avast caught it. I have not installed the patch yet.
        Alzie
        • Yep..

          I uninstalled my 32bit java, but the new 64bit java for IE 8 was still insecure according to Secunia PSI. Oh Well! Maybe the Vista patch is late!

          Avast Pro v.5 definitely nailed that one!
          JCitizen
  • RE: As attacks surface, Sun ships sudden Java patch

    What do you think?

    What I think is that this entire article and fuss is
    all ado about nada. From what I have read in
    earlier articles and posts this is all BS, designed
    especially for the super tech types to weigh-in
    and try to prove how much they think they
    know.

    This is all baloney. If it wasn't then every
    swinging dick that is using Java on a windows
    machine would be getting their ass kicked, and
    it would be media central because every
    reporter on the planet would be getting
    affected.

    In other words, STFU.
    xsssx
    • ?????????????????????

      have you actually read about this or tested it yourself?

      the demo in the article proves it can launch an arbitrary executable on any vulnerable machine just by visiting the page. that alone is a critical security failure. for my own testing in a private environment, i confirmed that pretty much anything is open, including a silent background download and installation of whatever program i chose, completely without prompting of any kind, just by visiting the page.
      erik.soderquist
  • what does bing has to do with java?

    I guess it was a M$ vulnerability after all!
    Linux Geek
    • great...

      ... is there a limit to your cultist behaviour?


      Sun... sorry Oracle decided to include Bing search bar(and like every other crapware it's checked by default...) instead of the google bar(which was also checked by default like every other crapware)...


      It was a Java vulnerability... not a MS vulnerability... they just want to try to install crapware at the same time...
      Ceridan
      • crapware

        It's one of the worst plagues of computer software in recent times, the inclusion of these checked-by-default toolbars during installation.
        avoidz